That’s the most annoying mystery of these superphones that we carry everywhere. It’s a master key to pretty much everything we’ve got going on in our lives: where we’ve been, the people with whom we associate, what we say, and all of the things we’ve seen that we considered worth snapshotting. The phone maker should be both completely open about the data the device collects and should act as though disastrous things would happen if that data were ever to fall into the wrong hands. Because they would. The worst-case scenario of a lost or stolen or otherwise compromised phone is pretty goddamned bad.

So imagine my disappointment when I visited this page (thoughtfully forwarded to me by Dave Bittner). Developers Alasdair Allan and Pete Warden, while working on some mobile data-visualization tools, poked around inside their iPhones and found an SQL database containing a detailed log of the phone’s locations over the past several months. To demonstrate the problem, they wrote a little app that will pull up this file from your desktop iPhone backup, analyze it, and “replay” your movements over time on a map.

Yeah, it works. The app was written just as an illustration, so it intentionally fudges the accuracy. But if I fast-forward to last summer, I reveal a very rough track of the day I decided to blow off work and go to the Cape for an afternoon of swimming and fried clams. Here’s a video demo of the map, provided by the developers:

A few reality checks, lest I inadvertently do a Glenn Beck number on all of you, here:

This database isn’t storing GPS data. It’s just making a rough location fix based on nearby cell towers. The database can’t reveal where you were…only that you were in a certain vicinity. Sometimes it’s miles and miles off. This implies that the logfile’s purpose is to track the performance of the phone and the network, and not the movements of the user.

A third party couldn’t get access to this file without physical access to your computer or your iPhone. Not unless you’ve jailbroken your iPhone and didn’t bother resetting its remote-access password…or there’s an unpatched exploit that would give Random Person On The Internet root access to your phone.

It’s pretty much a non-issue if you’ve clicked the “Encrypt iPhone Backup” option in iTunes. Even with physical access to your desktop, a no-goodnik wouldn’t be able to access the logfile.

But still! What a nervous can of worms. This is an open, unlocked file in a known location in a standard database format that anybody can read. If someone has physical access to your Mac — or remote access to your user account — it’s a simple matter of copying a file and opening it. And while the logfile can’t tell someone that you were at a specific house, it can obviously tell your boss that you went to the Cape on the day you called in sick.

And it’s not as though Apple and these two developers are the only people who know that this file exists and that it’s so easy to access. By the time the Good Guys blow the whistle, the Bad Guys have had it for months. Lord only knows what they’ve been doing with this information.

It’s also, frankly, another reason why I value my iPhone’s “remote nuke” feature and wish it were possible to nuke all data directly from the handset. I can’t think of any circumstance under which my location data would possibly be damaging, incriminating, or even just embarrassing. That’s not the point: if I can’t control the data that my phone is collecting, I should at least have the power to destroy it utterly.

[Edited to clarify: what I want is a real “overwrite with zeros” feature, like the one you see in Disk Utility. Yup, you can go to Preferences and restore your iPhone to factory settings but I believe that this leaves your data vulnerable to recovery. I imagine a made-for-TV kind of scene in which the Angry Lawyer Bringing A Frivolous Lawsuit Against Me is fumbling for his phone, trying to get a court order to mine data off of my iPhone but before the paperwork comes through, I’ve already tapped nineteen buttons and there’s nothing on that phone that can be recovered.]

Finally, there’s “The ‘Ick’ Factor.” I don’t believe that Apple is up to anything nefarious here (again, I think it’s tracking the performance of the phone and not the movements of the user) but it makes the iPhone look very, very bad. That’s not to say that other phones don’t do even ickier things with user data…but this one’s big and public and easy to demonstrate on a nightly newscast.

Apple should treat this like a serious problem. I’ll be very, very pleased if I or anybody else can get a statement from them explaining what this file is for, and how the next iOS update will secure it.

I think this tracking is done for Apple’s Wi-Fi location service; that is, their Skyhook replacement. CoreLocation works far better indoors with iOS 4 than with iOS 3, and I think it’s because Apple is passively collecting data about where the world’s Wi-Fi hotspots are from the millions of iOS devices actively in use.

Andy, I hope you’ll be able to clear up some of the confusion about this issue on the next MacBreak Weekly – even Leo still doesn’t seem to understand what the purpose of this database is!

Westacular’s comment here makes the key point: this is not a log of your phone’s movements, it’s a cached portion of Apple’s cell tower and wi-fi hotspot location database. Each location is only in the database once. If the database in question was logging your movements, you’d expect the locations you go to most often to have multiple entries – but this is not the case. The timestamp lets the system figure out how old (and thus potentially out-of-date) each entry is – essential for the operation of a cache.

There was a WWDC session last year about iOS and Core Location and it explains that as well as downloading the cell tower and wi-fi hotspot location data for your immediate vicinity, iOS also downloads hundreds of entries for cell towers and wi-fi hotspots in a radius around your current location. The point of this is that the device won’t have to query Apple again the second you move from your current position – this saves battery, internet bandwidth, etc. Also this allows wi-fi only devices to still get location fixes even when they’ve moved out of range of a wi-fi hotspot that they can use to get onto the internet (they can still use the list of wi-fi hotspots that they can “see” and look them up in the cached location database). The fact that many locations are downloaded into the cache in batches is easily seen by the fact that many entries in the CellLocations table have the same timestamp.
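The two checks this comment proposes (does any coordinate appear more than once, and do entries arrive in same-timestamp batches?) can be applied to the table directly. The following audit script is an added example, not code from the post, its commenters, Apple or the two developers; it assumes a CellLocations table with Timestamp, Latitude and Longitude columns and runs on constructed sample rows, one set shaped like a downloaded cache and one shaped like a movement log.

```python
import sqlite3
from collections import Counter

# Constructed sample rows, not from any real device. The column set
# (Timestamp, Latitude, Longitude) is an assumption modelled on the
# CellLocations table the comment mentions. Three batches share a
# timestamp and every coordinate pair appears exactly once, as a
# cache filled in bulk downloads would look.
CACHE_LIKE_ROWS = [
    (3.29e8 + 0, 42.3601, -71.0589), (3.29e8 + 0, 42.3611, -71.0601),
    (3.29e8 + 0, 42.3590, -71.0570), (3.29e8 + 0, 42.3625, -71.0555),
    (3.29e8 + 86400, 41.6688, -70.2962), (3.29e8 + 86400, 41.6701, -70.3001),
    (3.29e8 + 86400, 41.6650, -70.2900),
    (3.29e8 + 172800, 42.3736, -71.1097), (3.29e8 + 172800, 42.3750, -71.1120),
]

# A movement log would instead revisit the same place at different times.
LOG_LIKE_ROWS = [
    (3.29e8 + 0, 42.3601, -71.0589), (3.29e8 + 3600, 42.3601, -71.0589),
    (3.29e8 + 7200, 41.6688, -70.2962), (3.29e8 + 86400, 42.3601, -71.0589),
    (3.29e8 + 90000, 42.3601, -71.0589), (3.29e8 + 93600, 42.3736, -71.1097),
]

def load_rows(rows):
    """Build an in-memory SQLite table shaped like the assumed location DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CellLocations "
                 "(Timestamp REAL, Latitude REAL, Longitude REAL)")
    conn.executemany("INSERT INTO CellLocations VALUES (?, ?, ?)", rows)
    return conn

def profile_table(conn, table="CellLocations"):
    """Count repeated coordinates and the largest same-timestamp batch.
    Each location once plus batched timestamps is the cache signature."""
    rows = conn.execute(
        f"SELECT Timestamp, Latitude, Longitude FROM {table}").fetchall()
    coords = Counter((round(lat, 4), round(lon, 4)) for _, lat, lon in rows)
    batches = Counter(ts for ts, _, _ in rows)
    repeated = sum(1 for n in coords.values() if n > 1)
    largest_batch = max(batches.values(), default=0)
    return {
        "rows": len(rows),
        "distinct_locations": len(coords),
        "repeated_locations": repeated,
        "largest_batch": largest_batch,
        "looks_like_cache": repeated == 0 and largest_batch > 1,
    }

if __name__ == "__main__":
    for name, rows in (("cache-like", CACHE_LIKE_ROWS), ("log-like", LOG_LIKE_ROWS)):
        print(name, profile_table(load_rows(rows)))
```

To run it against a real backup copy, open the file with sqlite3.connect instead of load_rows and adjust the column names to whatever the table actually uses.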